[Ltb-users] ssp and ppolicy
Sebastian Perkins - Hoist Group - Switzerland
sebastian.perkins at hoistgroup.com
Fri Sep 1 16:02:16 CEST 2017
On 01/09/2017 at 14:45, Sebastian Perkins - Hoist Group - Switzerland wrote:
>>If you use a blank entry as binddn, you will not be able to use reset features (mail/questions/sms) as in this case the old password of the user is not known.
Silly me, of course I simply cannot bind without the working pass :D
Some updates on the test I am performing:
· LDAPS is used with a root DN bind
· no salt, no hash on the SSP side, to let the LDAP server encode the password itself (in order to keep the pwdHistory entries identical)
Works fine from the classic "change" GUI interface! (ppolicy returns the generic error message)
However, our preferred token-via-mail option seems to bypass the policy checks (but updates the hashes with an identical one)... and there is no "current password" field in the email flow (which makes sense for a reset), but it still bypasses...
I am using the stock Debian Jessie package:
dpkg --list | grep self
ii self-service-password 1.0-2 all LDAP password change web interface
My understanding is that the reset token via mail (as it has no current password) binds with the root DN instead of the user DN and therefore bypasses ppolicy?
Free software consultant, infrastructure and security expert
137 boulevard de Magenta - 75010 PARIS
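To make the difference between the two flows concrete, here is an added example (my own code, not part of the original thread and not Self Service Password's code) that reproduces client-side the pwdInHistory comparison that slapo-ppolicy performs on the server when userPassword is modified, i.e. the check the reporter sees enforced on the "change" form and not on the token reset. It parses pwdHistory values in their stored layout (changeTime#syntaxOID#length#data), verifies a clear-text candidate against {SSHA} entries, and also shows what is left of the check when a client sends an already-hashed value with a fresh salt (only an exact string match is possible, which is why "no hash on the SSP side" matters for history). The pwdHistory values, passwords and salts below are constructed for the example; real entries carry whatever hash scheme the server used.

```python
"""Client-side replica of the ppolicy pwdInHistory check (added example, not SSP code)."""
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

# Syntax OID ppolicy records for userPassword values in pwdHistory (Octet String).
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"

# pwdHistory value layout: time '#' syntaxOID '#' length '#' data
PWD_HISTORY_RE = re.compile(r"^(\d{14}Z)#([\d.]+)#(\d+)#(.*)$", re.DOTALL)


def ssha_hash(password: str, salt: bytes) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value (20-byte digest + salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_history_value(changed_time: str, hashed: str) -> str:
    """Build a pwdHistory value the way ppolicy stores it."""
    data = hashed.encode("utf-8")
    return f"{changed_time}#{OCTET_STRING_OID}#{len(data)}#{hashed}"


def parse_history_value(value: str) -> Tuple[str, str, str]:
    """Split a pwdHistory value into (changed_time, syntax_oid, data), validating the length field."""
    m = PWD_HISTORY_RE.match(value)
    if not m:
        raise ValueError(f"malformed pwdHistory value: {value!r}")
    changed_time, oid, length, data = m.groups()
    if len(data.encode("utf-8")) != int(length):
        raise ValueError("pwdHistory length field does not match data")
    return changed_time, oid, data


def password_in_history(password: str, history: List[str], pwd_in_history: int) -> bool:
    """Clear-text check: True if the candidate matches any of the pwd_in_history newest entries.

    ppolicy prunes the attribute to pwdInHistory entries on each change; sorting by
    change time and slicing models that without needing the server's state.
    """
    entries = sorted((parse_history_value(v) for v in history), key=lambda e: e[0], reverse=True)
    for _time, oid, data in entries[:pwd_in_history]:
        if oid == OCTET_STRING_OID and verify_ssha(password, data):
            return True
    return False


def hashed_value_in_history(hashed: str, history: List[str]) -> bool:
    """What remains when the client submits an already-hashed value: only an exact string match."""
    return any(parse_history_value(v)[2] == hashed for v in history)


# Constructed sample: three previous passwords with fixed salts so the example is deterministic.
SAMPLE_HISTORY = [
    make_history_value("20170601120000Z", ssha_hash("Spring2017!", b"\x01\x02\x03\x04")),
    make_history_value("20170701120000Z", ssha_hash("Summer2017!", b"\x05\x06\x07\x08")),
    make_history_value("20170801120000Z", ssha_hash("August2017!", b"\x09\x0a\x0b\x0c")),
]

if __name__ == "__main__":
    for pw in ("Summer2017!", "Autumn2017!"):
        print(pw, "in history:", password_in_history(pw, SAMPLE_HISTORY, 3))
    # Same password re-hashed with a fresh salt: an already-hashed value never matches history.
    rehashed = ssha_hash("Summer2017!", b"\xde\xad\xbe\xef")
    print("client-hashed value matches history:", hashed_value_in_history(rehashed, SAMPLE_HISTORY))
```

Whether this comparison runs at all is decided by the server for the identity that performs the modify, so the thing to check on the SSP side is which DN the token-reset flow binds with for the password write (the $who_change_password setting in config.inc.php, assumed present in the packaged 1.0 version; verify in your copy) and, on the server side, whether that DN is one ppolicy subjects to the policy.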